27 Data Protection Policy and Direct Marketing and Cookies Policy
PDF 156 KB
For decision.
Additional documents:
Decision:
ORDERED that Executive:
1. Approve the Data Protection Policy
2. Approve the Direct Marketing and Cookies Policy.
3. Delegates authority to the senior officer designated as the Council’s Senior Information Risk Owner to approve all future substantive revisions, minor amendments and administrative updates of the Data Protection Policy and Direct Marketing and Cookies Policy.
Minutes:
The Mayor submitted a report for Executive's consideration the purpose of the report was to seek approval of the Council’s Data Protection Policy and Direct Marketing and Cookies Policy. It also requested that authority was delegated to the Council’s Senior Information Risk Owner (SIRO) to approve future substantive revisions, minor amendments and administrative updates to both policies.
The Executive was advised that the policies formed a comprehensive information governance framework designed to ensure the Council complied with its statutory obligations under the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, the Privacy and Electronic Communications Regulations (PECR) and the Data (Use and Access) Act 2025. Members heard that the Data Protection Policy established the Council’s overarching approach to the lawful and fair processing of personal data, whilst the Direct Marketing and Cookies Policy provided specific controls and governance arrangements relating to electronic marketing communications and the use of cookies and similar technologies.
The Executive noted that Middlesbrough Council processed personal data on a significant scale in delivering statutory functions and public services and, in doing so, acted as a public authority subject to a range of legislative requirements. Members were advised that the Council’s approach to meeting those obligations was encapsulated within the Data Protection Policy.
Members also heard that the Direct Marketing and Cookies Policy reflected the requirements of PECR, Information Commissioner’s Office (ICO) Codes of Practice and related guidance. The policy clarified roles and responsibilities, consent standards, technical requirements and governance arrangements relating to marketing communications and cookie compliance.
The Executive was informed that the policies applied to all personal data processing undertaken by Middlesbrough Council and several constituent data controllers, including the Electoral Registration Officer/Returning Officer, the South Tees Safeguarding Children Partnership, the South Tees Youth Justice Service and the Superintendent Registrar. The policies established responsibilities for ensuring that personal data was processed lawfully, fairly and transparently, remained accurate and secure and was retained only for as long as necessary.
The Executive noted that the policies supported both public authority and competent authority processing by setting out clear governance, accountability arrangements, and defined roles and responsibilities for elected Members, senior managers, Information Asset Owners, employees and the Data Protection Officer.
OPTIONS
While data protection legislation did not explicitly require organisations to maintain standalone policies adopting such policies was regarded as good practice and was strongly recommended by the Information Commissioner’s Office (ICO) under its Accountability Framework.
Formal policies helped demonstrate how an organisation met its legal obligations, embedded data protection principles into everyday practice, and provided clarity on roles, responsibilities, and expectations for those handling personal data. In a public sector context, where large volumes of personal and sensitive data were processed, the absence of a policy would have made it more difficult to evidence compliance, manage risk consistently, and demonstrate accountability to regulators, service users, and the public.
ORDERED that Executive:
1. Approve the Data Protection Policy
2. Approve the Direct Marketing and Cookies Policy.
3. Delegates authority to the senior officer ... view the full minutes text for item 27